Security Levels - New UI
Security and navigation
SECURITY Administrator
NAVIGATION New UI > Setup > Security Levels
About security levels
Security levels specify and limit the access users have when logged in to the Datto RMM web interface, the Agent Browser, or a Web Remote session or chat. Users can have more than one security level and change them as needed. Security levels can be added, edited, copied, and deleted in both the current UI and the New UI. Users can switch security levels in the current UI, the New UI, and the Agent Browser.
IMPORTANT You must have Administrator security level to be able to add, edit, copy, or delete a security level. For further information, refer to Users in the current UI and Users - New UI in the New UI.
Administrator security level
By default, Administrator security level is assigned to the user who registers a Datto RMM account, and it is the only security level available to assign to new users until other security levels are created. The Administrator security level cannot be modified or edited in any way. Users who have this security level assigned have full and unlimited access to all Datto RMM functionality and can see and connect to all devices in the Datto RMM account.
Creating a security level
Navigate to the Security Levels page by following the navigation path described above. Click Create Security Level and specify the security level details.
Name
Enter a name for the security level.
Description
Enter a description for the security level.
Configuration
Device visibility
This section controls which devices the security level has access to. To include or exclude sites or groups, follow these steps:
- Configure any of the following sections:
- Click On for Sites and then click Add Site.
- Click On for Site Device Groups and then click Add Site Device Group.
- Click On for Device Groups and then click Add Device Group.
- Click On for Site Groups and then click Add Site Group.
IMPORTANT Alerts are not visible in the New UI for users with a security level that only has Device Groups configured in the Device visibility section. In the New UI, users must have permission to see a site in order to see devices within that site and alerts associated with devices.
- From within the pane that opens, click Add for each site or group you wish to include in this security level or click Add All to include all sites or groups. You can use the search bar to search for a site or group, or you can simply scroll down in the list. Click Remove for each site or group you wish to exclude from this security level. When you are finished, click X to close the pane.
- You can also remove sites or groups in bulk or individually on the Create Security Level page by clicking the Remove All button or the Remove icon, respectively.
The table density is set to Condensed Theme by default. To change it to Relaxed Theme, click the density toggle icon at the top right of the table. The selection will persist across all pages.
The number of results displayed can be specified by selecting the desired number from the drop-down menu at the bottom of the table. This selection will persist the next time the page is accessed.
Permissions
This section controls access to various areas of the current UI and the New UI. Enable any of the buttons listed below and set the permission to None, View, or Manage for each area. You can configure the same permission for each area within a section with one click in the top row of the table. When creating a new security level, permissions are set to View for all areas by default.
IMPORTANT Users will be unable to log in if None permission is selected for all areas in their security level's Permissions section.
IMPORTANT The Account and Setup tabs in the current UI will be grayed out if None permission is selected for all areas within Account (current UI) or Global (New UI) and Setup, respectively.
Global
| None | View | Manage | |
|---|---|---|---|
| Dashboard | Current UI:
The Account > Dashboard menu or tab is not displayed. |
Current UI:
The Account > Dashboard menu or tab is displayed. Depending on sites visibility (toggled OFF, for example), the information shown may be limited in scope. |
Current UI:
Same as for View permission. |
| Audit | Current UI:
The Account > Audit menu or tab is not displayed. |
Current UI:
The Account > Audit menu or tab is displayed. Users can view account-level audit information. |
Current UI:
Same as for View permission. |
| Manage | Current UI:
The Account > Manage menu or tab is not displayed. |
Current UI:
The Account > Manage menu or tab is displayed. Patch Management: Refer to Account-level permissions. Software Management: Refer to Account-level permissions. (Deprecated) iOS App Management: Users can view iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Community post. Backup Management: Users can view Datto backup appliance data but they cannot add devices. |
Current UI:
The Account > Manage menu or tab is displayed. Patch Management: Refer to Account-level permissions. Software Management: Refer to Account-level permissions. (Deprecated) iOS App Management: Users can view and create iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Community post. Backup Management: Users can view and map Datto backup appliance data. |
| Monitor | Current UI:
The Account > Monitor menu or tab is not displayed. |
Current UI:
The Account > Monitor menu or tab is displayed. Users can view monitor alerts and job alerts that have been raised across sites they have access to; however, they cannot resolve alerts and they also cannot disable the monitors that raised the alerts. Users can run jobs if they have Manage permission for Jobs > Active Jobs as well. Only users with Administrator security level can see suspended devices. |
Current UI:
Same as for View permission but users can also resolve monitor and job alerts and disable the monitors that raised the alerts. |
| Support | Current UI:
The Account > Support menu or tab is not displayed. |
Current UI:
The Account > Support menu or tab is displayed. Users can see support tickets raised from the sites they have access to. |
Current UI:
Same as for View permission. |
| Policies | Current UI:
The Account > Policies menu or tab is not displayed. |
Current UI:
The Account > Policies menu or tab is displayed. Users can see what policies have been set in the sites they have access to but they cannot create new ones. Users can see which of their permitted devices are targeted but they cannot toggle policies. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. |
Current UI:
Same as for View permission but users can also edit individual targets and configure new policies and Patch Management policy overrides. Regarding Patch Management policies, refer to Account-level permissions. Regarding Software Management policies, refer to Account-level permissions. |
| New UI:
The Policies menu is not displayed. However, users with at least View permission for Sites > Policies can see the Policies menu and a list of global policies along with a list of site policies, but they cannot create new global policies or edit, delete, or copy existing ones. In the Device Summary > Policies card, users cannot click the name of a global policy. |
New UI:
The Policies menu is displayed. Users can see the details of global policies if they also have at least View permission for Sites > Policies. (Site and device visibility restrictions are respected.) However, users cannot create new global policies or edit, delete, or copy existing ones. In the Device Summary > Policies card, users can click the name of a global policy if they also have at least View permission for Sites > Policies. Users can view Managed applications on the Device Summary page. Refer to Applications. |
New UI:
Same as for View permission but users can also create, edit, delete, or copy global policies. Users can enable or disable policies from the Policies card on the Device Summary page if they also have at least View permission for Sites > Policies. The Best Practices button is displayed on the Policies page if users have Manage permission for ComStore > ComStore as well. |
|
| Filters | Current UI and New UI:
Users cannot view or create custom filters at the account/global level; however, they can access Default Device Filters. |
Current UI and New UI:
Same as for None permission but users can also view filters created at the account/global level by any user that has shared the filter with their assigned security level. |
Current UI and New UI:
Same as for View permission but users can create, edit, and delete their own filters and filters that have been shared with them at the account/global level. |
| Groups | Current UI and New UI:
Users cannot view or create groups at the account/global level. |
Current UI and New UI:
Users can view groups created at the account/global level by any user that has shared the group with their assigned security level. |
Current UI and New UI:
Users can view, edit, and delete groups created at the account/global level. |
Sites
| None | View | Manage | |
|---|---|---|---|
| Sites | Current UI:
The Sites tab is displayed, but users cannot access the list of sites when clicking the tab. NOTE It is recommended to exclude sites individually instead of limiting access to the Sites tab. |
Current UI:
Users can view the list of all sites they have access to. Users cannot create, edit, or delete sites, although they may have group and filter access. |
Current UI:
Same as for View permission but users can also create, edit, or delete sites. Groups cannot be created (this requires the Groups permission below). Quick jobs can also be run if components are available. |
| New UI:
The Sites menu is displayed but users cannot access the list of sites. |
New UI:
Users can view the list of all sites they have access to, but they cannot create, edit, or delete sites although they may have group and filter access. Users can add a new device to the sites they have access to. Users can create a ticket in Autotask PSA if they also have at least View permission for Sites > Devices and Manage permission for Sites > Support. Refer to Creating a ticket - New UI. |
New UI: Same as for View permission but users can also create, edit, or delete sites. Users can edit site settings as well if they also have Manage permission for Sites > Settings. |
|
| Summary | Current UI:
Users cannot view a site's Summary page; however, the rest of the tools/actions (for example, Audit, Manage, etc.) can be accessed. Refer to Site lists. |
Current UI:
Users can view a site's Summary page. Although the Notes section appears, no notes can be logged. Users can only see the Patch Status pie chart if they also have at least View permission for Sites > Manage. |
Current UI:
Same as for View permission but users can also save notes. |
| New UI: Users will be unable to initiate a Web Remote session. |
New UI: Users can initiate a Web Remote session. |
New UI: Same as for View permission. |
|
| Devices | Current UI:
A site's Devices menu or tab is not displayed, and individual device pages cannot be accessed. |
Current UI:
A site's Devices menu or tab can be accessed, but the only actions that appear are Export to CSV and Refresh. On individual device pages, users can view device information but they cannot edit it. |
Current UI:
Same as for View permission but, depending on the user's security level permissions for other areas, expanded actions to move or edit devices and perform operations on them are shown on both the Devices tab and individual device pages. On individual device pages, users can edit device information if they have Manage permission for Sites > Summary as well. Users can also delete devices if they have Manage permission for Sites > Deleted Devices as well. Users can enable Privacy Mode for devices. |
| New UI:
The Devices menu is not displayed. Users with at least View permission for Sites > Sites can see the Devices menu and they can add a new device to any site they have access to; however, they cannot access any device. |
New UI:
The Devices menu is displayed, but users can only view devices if they also have at least View permission for Sites > Sites. Users can see device information but they cannot edit it or delete a device. Users can perform the Copy Device Information to Clipboard action. The users' ability to perform other device actions depends on their security level permissions for other areas of the web interface. Refer to the Security and navigation section in Device Summary - New UI and Devices - New UI. Users can create a ticket in Autotask PSA if they also have at least View permission for Sites > Sites and Manage permission for Sites > Support. Refer to Creating a ticket - New UI. Users can also approve application updates. Refer to Applications. Users can also view and search for device-related activity in the Activity Log. Refer to Activity Log. |
New UI:
Same as for View permission but users can also edit device information, perform actions on a device, or delete a device from any site they have access to if they also have at least View permission for Sites > Sites. The users' ability to perform device actions may depend on their security level permissions for other areas of the web interface. Refer to the Security and navigation section in Device Summary - New UI and Devices - New UI. |
|
| Audit | Current UI:
The Audit menu or tab is not displayed at either the site or the device level. |
Current UI:
The Audit tab is displayed at the site and device level. Users can view audit information. |
Current UI:
Same as for View permission but users can also manage, move, and delete discovered devices, and request device audits. |
| New UI:
The Request Audit action button is not displayed on the Device Summary page and displayed but unavailable on device list pages. |
New UI:
Same as for None permission. |
New UI:
Users can see the Request Audit action button on the Device Summary page and it is available on device list pages as well if they also have at least View permission for Sites > Sites and Sites > Devices. Users can request full and delta audits. |
|
| Manage | Current UI:
The Manage menu or tab is not displayed at the site level. The Manage menu or tab is displayed at the device level but it cannot be accessed. |
Current UI:
The Manage menu or tab is displayed and can be accessed at the site and device level. Patch Management: Refer to Site-level permissions and Device-level permissions. Software Management: Refer to Site- and device-level permissions. (Deprecated) iOS App Management: Users can view iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Community post. Backup Management: Users can view Datto backup appliance data but they cannot add devices. |
Current UI:
The Manage menu or tab is displayed and can be accessed at the site and device level. Patch Management: Refer to Site-level permissions and Device-level permissions. Software Management: Refer to Site- and device-level permissions. (Deprecated) iOS App Management: Users can view and create iOS App Management policies. IMPORTANT The Mobile Device Management (MDM) feature is no longer available. For more information, refer to this Community post. Backup Management: Users can view and map Datto backup appliance data. |
| Monitor | Current UI:
The Monitor menu or tab is not displayed at the site level. The Monitor menu or tab is displayed at the device level but the list of alerts cannot be accessed. |
Current UI:
The Monitor menu or tab is displayed and can be accessed at the site and device level. Users can view monitor alerts. Users can run jobs if they also have Manage permission for Jobs > Active Jobs. Users cannot create device-level monitors. |
Current UI:
Same as for View permission but users can also resolve and disable monitor alerts. Users can also create device-level monitors. |
| New UI:
Users can create and end maintenance mode windows. Users can create, enable, disable, and delete monitors in the Monitors card on the Device Summary page if they also have at least View permission for Sites > Sites. Users can create and edit webhooks. |
|||
| Support | Current UI:
The Support menu or tab is not displayed at the site level. The Support menu or tab is displayed at the device level but it cannot be accessed. |
Current UI:
The Support menu or tab is displayed at the site and device level. Users can view support tickets. |
Current UI:
Same as for View permission but users can also create and edit support tickets. |
|
|
|
New UI:
|
|
| Filters | Current UI and New UI:
Users cannot view or create site-level filters. |
Current UI and New UI:
Users can view filters created at the site level from all users. |
Current UI and New UI:
Same as for View permission but users can create, edit, and delete their own filters and filters that have been shared with them at the site level. |
| Groups | Current UI and New UI:
Users cannot view or create site-level groups. |
Current UI and New UI:
Users can use site-level groups that have already been defined, but they cannot add devices to the group and change group names. |
Current UI and New UI:
Users can view, edit, or delete groups created at the site level. |
| Policies | Current UI:
The Policies menu or tab is not displayed at either the site or the device level. |
Current UI:
The Policies menu or tab is displayed at the site and device level. Users can view site-level policies. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. |
Current UI:
Same as for View permission but users can also create and edit policies. Filters and groups can be applied depending on the user's security level permissions for filters and groups. Regarding Patch Management policies, refer to Site-level permissions and Device-level permissions. Regarding Software Management policies, refer to Site- and device-level permissions. |
| New UI:
The Policies menu and the Policies card on the Device Summary page are not displayed. Users cannot create new site policies. Users with at least View permission for Account > Policies can see the Policies menu; however, they cannot access the list of policies. |
New UI:
The Policies menu and the Policies card on the Device Summary page are displayed. Users can view details of site policies with Account > Policies permission set to None, but they cannot click on global policies. Users can click on and view details of global policies as well if they also have at least View permission for Account > Policies. Users can enable or disable policies from the Policies card on the Device Summary page if they also have Manage permission for Account > Policies. Users cannot create new site policies or edit, delete, or copy existing ones. Users can view Managed applications on the Device Summary page. Refer to Applications. |
New UI:
Same as for View permission but users can also create, edit, delete, or copy site policies. The Best Practices button is displayed on the Policies page if users have Manage permission for ComStore > ComStore. |
|
| Settings | Current UI:
A site's Settings menu or tab is not displayed. |
Current UI:
A site's Settings menu or tab is displayed. Users can view the settings of individual sites but they cannot configure them. |
Current UI:
Same as for View permission but users can configure the settings of individual sites. |
| New UI:
Users cannot view site settings. The Setup > Credentials menu is displayed; however, users cannot view or create site-level credentials. |
New UI:
Users can view site settings if they also have Manage permission for Sites > Sites; however, they cannot edit or delete these settings. On the Setup > Credentials page, users can view site-level credentials for the sites they have access to if they also have at least View permission for Sites > Sites; however, they cannot create, edit, or delete site-level credentials. |
New UI:
Users can view, edit, and delete site settings if they also have Manage permission for Sites > Sites. On the Setup > Credentials page, users can view, create, edit, and delete site-level credentials for the sites they have access to if they also have Manage permission for Sites > Sites. |
|
| Deleted Devices | Current UI and New UI:
Users cannot delete devices even if they have Manage permission for Sites > Devices. NOTE The Sites > Manage Deletions option is only displayed for users with Administrator security level. |
Current UI and New UI:
Same as for None permission. |
Current UI and New UI:
Users can delete devices if they have Manage permission for Sites > Devices as well. NOTE The Sites > Manage Deletions option is only displayed for users with Administrator security level. |
Components
| None | View | Manage | |
|---|---|---|---|
| Components | Current UI:
The Components tab is displayed, but users cannot view the list of their components or select any components as part of jobs. |
Current UI:
The Components tab is displayed. Users can see and choose components as part of jobs but they cannot export, edit, copy, or delete them. Users can view component scripts (and download files), but they cannot edit the scripts. Users can mark components as favorites. Users cannot change the component level of components on the Component List page. Users can run jobs if they have Manage permission for Jobs > Active Jobs as well. |
Current UI:
Same as for View permission but users can also export, edit, copy, and delete components. Users can also change the component level of components on the Component List page. |
| New UI:
The Component Library is not displayed, and the list of components cannot be accessed. |
New UI:
The Component Library is displayed. Users can view components in the list, view individual component details including component scripts, search for components, and view component groups. Users can create jobs with selected components if they also have Manage permission for Jobs > Active Jobs. |
New UI:
Same as for View permission but users can also create, edit, and delete components, add components to and remove components from groups, create new component groups, set components as User Tasks, and update, copy, import, and export components. |
|
| User Tasks | Current UI:
Users cannot see if a component in the Component Library has been marked as a User Task. |
Current UI:
Same as for None permission. |
Current UI:
Users can see if a component in the Component Library has been marked as a User Task, and they can click the Toggle User Task icon to enable or disable a component as a User Task. |
| New UI:
Users can see if a component in the Component Library has been set as a User Task. |
New UI:
Same as for None permission. |
New UI:
Same as for None and View permission but users can also set or unset components as a User Task if they also have Manage permission for Components > Components. |
ComStore
| None | View | Manage | |
|---|---|---|---|
| ComStore | Current UI:
The ComStore tab is displayed, but the list of components cannot be accessed. |
Current UI:
The ComStore tab is displayed. Users can browse the ComStore and search for components, but they cannot add the components on display to the Component Library. |
Current UI:
Same as for View permission but users can also add components to the Component Library. |
| New UI:
The Automation > ComStore menu is not displayed, and the list of components in the ComStore cannot be accessed. Users cannot add components from the ComStore to jobs. |
New UI:
The Automation > ComStore menu is displayed. Users can browse the ComStore and search for components, but they cannot add the components on display to the Component Library. Users cannot add components from the ComStore to jobs. |
New UI:
Same as for View permission but users can also add components from the ComStore to the Component Library and to jobs. The Best Practices button is displayed on the Policies page, and users can add and configure ComStore policies if they also have Manage permission for Account > Policies (for global policies) and Sites > Policies (for site policies). |
Jobs
| None | View | Manage | |
|---|---|---|---|
| Active Jobs | Current UI:
The Jobs tab is displayed, but jobs and quick jobs cannot be accessed, scheduled, or run. |
Current UI:
The Jobs tab is displayed, but the New Job option is not available. Users can access Active Jobs and Completed Jobs, but they cannot schedule, run, edit, retire, or delete jobs and quick jobs. |
Current UI:
Same as for View permission but the New Job option is also available. Users can schedule, run, edit, retire, and delete jobs and quick jobs. When viewing the results of a job, users can select one or more devices and schedule a job, run a quick job, rerun a job, add the devices to a group, export StdOut (standard output) and StdErr (standard error) messages, and resend the run job message. |
| New UI:
The Automation > Jobs menu is not displayed, and jobs and quick jobs cannot be accessed, scheduled, or run. |
New UI:
The Automation > Jobs menu is displayed. Users can view jobs, but they cannot schedule, run, edit, retire, or delete jobs and quick jobs. |
New UI:
Same as for View permission but users can also schedule, run, edit, retire, and delete jobs and quick jobs. When viewing the results of a job, users can select one or more devices and schedule a job, run a quick job, rerun a job, add or remove the devices to or from a group, create a new device group, and export StdOut (standard output) and StdErr (standard error) messages. Users can add components from the ComStore to jobs if they also have Manage permission for ComStore > Comstore. On the Device Summary page and in device lists, users can perform the Patch Now and Schedule Reboot actions if they also have at least View permission for Sites > Sites and Sites > Devices. |
Reports
| None | View | Manage | |
|---|---|---|---|
| Active Reports | Current UI:
The Reports tab is displayed, but reports and exports cannot be accessed, scheduled, or run. |
Current UI:
The Reports tab is displayed, but the New Report option is not available. Users can access Active Reports and Completed Reports, but they cannot schedule, run, edit, or delete reports and exports. |
Current UI:
Same as for View permission but the New Report option is also available. Users can schedule, run, edit, and delete reports and exports. |
| New UI:
The Analytics > Reports menu is not displayed. The Quick Report action button cannot be accessed on the Device Summary page and on device list pages. |
New UI:
The Analytics > Reports menu is displayed. The Quick Report action button cannot be accessed on the Device Summary page and on device list pages. On the Reports page, users cannot create new reports. Users can access Active Reports and Completed Reports; however, they cannot edit or delete existing reports. |
New UI:
Same as for View permission but users can also create, edit, and delete reports. The Quick Report action button can also be accessed on the Device Summary page and on device list pages. |
Setup
| None | View | Manage | |
|---|---|---|---|
| Billing | Current UI:
Billing is not displayed in the Setup tab. A banner is displayed if the license limit has been exceeded. |
Current UI:
Billing is not displayed in the Setup tab unless the Datto RMM account is expired or suspended. A banner is displayed if the license limit has been exceeded. |
Current UI:
Same as for View permission but users can request subscription increase. |
| New UI:
The Setup > Licenses menu is not displayed. A banner is not displayed if the license limit has been exceeded. |
New UI:
The Setup > Licenses menu is displayed. Users can view their Managed device, Ransomware Detection, and OnDemand license count and usage, but they cannot add licenses. A banner is not displayed if the license limit has been exceeded. |
New UI:
Same as for View permission but users can also add Managed device and Ransomware Detection licenses. A banner is displayed if the license limit has been exceeded. |
|
| My Info | Current UI:
My Info is displayed in the Setup tab, but it cannot be accessed. |
Current UI:
My Info is displayed in the Setup tab and can be accessed. In the My Info section, users can configure their language and default security level. These changes do not apply to other users within the account. In the Security Settings section, users can click Datto Portal User Settings. This directs them to the Datto Portal where they can update their user settings. |
Current UI:
Same as for View permission. |
| Messages | Current UI:
Messages is not displayed in the Setup tab. The Send a message to the selected devices action bar icon is not displayed on device list pages, the Device Summary page, and the Device Audit page. |
Current UI:
Same as for None permission. |
Current UI:
Messages is displayed in the Setup tab. Users can view and delete previously sent messages to devices they have access to if they also have at least View permission for Sites > Devices. The Send a message to the selected devices action bar icon is displayed on device list pages, the Device Summary page, and the Device Audit page. |
| New UI:
The Send Message action button is not displayed on the Device Summary page and displayed but unavailable on device list pages. |
New UI:
Same as for None permission. |
New UI:
Users can see the Send Message action button on the Device Summary page and it is available on device list pages as well if they also have at least View permission for Sites > Sites and Sites > Devices. |
|
| Account Settings / Global Settings |
Current UI:
Account Settings is not displayed in the Setup tab. |
Current UI:
Account Settings is displayed in the Setup tab and can be accessed, but users cannot configure the settings. |
Current UI:
Account Settings can be accessed, and users can configure all settings. |
| New UI:
The Setup > Global Settings menu is not displayed. The Setup > Credentials menu is displayed, but users cannot view or create global credentials. |
New UI:
The Setup > Global Settings menu is displayed. Users can view global settings, but they cannot configure the settings. The Setup > Credentials menu is displayed, and users can view global credentials, but they cannot create, edit, or delete global credentials. |
New UI:
Same as for View permission but users can also configure all settings on the Global Settings page and view, create, edit, and delete global credentials on the Credentials page. |
|
| Integrations | Current UI:
Integrations is not displayed in the Setup tab. |
Current UI:
Integrations is displayed in the Setup tab, but the integrations cannot be accessed. |
Current UI:
Same as for View permission but users can access and configure the integrations. |
| New UI:
The Setup > Integrations menu is not displayed. |
New UI:
Same as for None permission. |
New UI:
The Setup > Integrations menu is displayed. Users can access and configure the integrations. |
Remote control tools
This section controls access to remote tools available in the web interface and the Agent Browser, or in Web Remote sessions or chats. When creating a new security level, all tools listed in the table below are enabled by default. The table specifies which tools are available in the web interface and the Agent Browser, and via Web Remote. Disabling any of the tools will inactivate that tool for the user who is a member of the security level.
NOTE Changes made in this section will only come into effect once the Agent Monitor application on the remote device has been exited and restarted.
Detailed information about how to access the tools can be found in the following topics:
- Device lists (current UI)
- Action buttons (New UI)
- Agent Browser tools
- Web Remote
To learn more about each tool and which device types they are available for, click the referenced sections in the table below.
| Field | Description | Web Interface | Agent Browser | Web Remote |
|---|---|---|---|---|
| Toggle all | Enabled by default for new accounts. Click On or Off to enable or disable all options listed below. |
|
||
| Chat | For the Agent Browser, refer to Chat. For Web Remote, refer to Initiate a Web Remote chat. |
|
|
|
| Command Shell | Refer to Command Shell. |
|
|
|
| Custom Connection | Refer to Connect (Custom Tunnel). |
|
|
|
| Drive Information | Refer to Drive Information. |
|
|
|
| Event Viewer | Refer to Event Viewer. |
|
|
|
| File Manager | For the Datto RMM Agent, refer to File Management. For Web Remote, refer to File Transfer. This option must be enabled for users, including users with Support Access enabled, to download a device's Agent logs. Refer to Download Agent Logs. |
|
|
|
| HTTP | Refer to Connect (HTTP). |
|
|
|
| LAN Deploy | Refer to Agent Deployment. |
|
|
|
| Notes | Refer to Notes. |
|
|
|
| PowerShell | Allows you to use RDP in the New UI and PowerShell. Refer to RDP and PowerShell. NOTE Disabling the PowerShell tool will disable RDP in the New UI. |
|
|
|
| Quick Jobs | Refer to Quick Jobs. |
|
|
|
| RDP | Allows you to use RDP in the current UI and Splashtop. Refer to RDP and Splashtop Remote Screen Share Integration. NOTE To use RDP in the New UI, enable the PowerShell tool. |
|
|
|
| Registry Editor | Refer to Registry Editor. |
|
|
|
| Restart/Shutdown | Refer to Restart and Shut Down. |
|
|
|
| Screen Share | Refer to VNC. |
|
|
|
| Screenshot | Refer to Screenshot. |
|
|
|
| Services | Refer to Windows Services. |
|
|
|
| SSH/Telnet | Refer to Connect (Telnet/SSH). |
|
|
|
| Task Manager | Refer to Task Manager. |
|
|
|
| Thumbnail Screen | Refer to Thumbnail Screen. |
|
|
|
| Wake-on-LAN | Refer to Wake Up. |
|
|
|
| Web Remote | Refer to Web Remote. |
|
|
Membership
This section allows you to assign the security level to a list of users. To include or exclude users, follow these steps:
- Click Add User.
- From within the pane that opens, click Add for each user you wish to include in this security level or click Add All to include all users. You can use the search bar to search for a user, or you can simply scroll down in the list. Click Remove for each user you wish to exclude from this security level. When you are finished, click X to close the pane.
- You can also remove users in bulk or individually on the Create Security Level page by clicking the Remove All button or the Remove icon, respectively.
IMPORTANT You cannot remove a user from a security level if it is their default security level. When saving your changes, a warning message will appear listing all users that cannot be removed. Click the Add All button to add these users back to the members list.
You can update a user's default security level when editing the user. Refer to Editing a user.
The table density is set to Condensed Theme by default. To change it to Relaxed Theme, click the density toggle icon at the top right of the table. The selection will persist across all pages.
The number of results displayed can be specified by selecting the desired number from the drop-down menu at the bottom of the table. This selection will persist the next time the page is accessed.
Saving the security level
When you are finished creating the security level, click Create Security Level. Once the security level has been saved, you will be redirected to the Security Levels page.
If you do not wish to save the security level, click Cancel.
Testing a security level
When you create a new security level, we recommend that you assign it to yourself first to see if it restricts or allows everything you want it to. Testing a security level is important to ensure that users with that security level are able to access the tools or information they require to perform their daily tasks. It is also equally important to ensure that they don't have access to anything they shouldn't. To learn how you can change security levels to test them, refer to Switching security levels.
IMPORTANT If you give third-party users (such as your customers) access to the account, ensure that the security level restrictions meet your internal data security requirements.
Viewing and managing security levels
List of security levels
Navigate to the Security Levels page by following the navigation path described above.
The table displays the following information:
| Field | Sortable? | Description |
|---|---|---|
| Name |
|
The name of the security level. To narrow the list, click the Filter Menu icon, enter a term, and click Search. To see the full list, click Reset. Click the name of the security level to edit the security level. Refer to Creating a security level. |
| Description | The description of the security level. |
The table density is set to Condensed Theme by default. To change it to Relaxed Theme, click the density toggle icon at the top right of the table. The selection will persist across all pages.
The number of results displayed can be specified by selecting the desired number from the drop-down menu at the bottom of the table. This selection will persist the next time the page is accessed.
Action buttons
The action buttons are grayed out if no row is selected. The selection box allows you to select one row at a time. The table below lists all available action buttons.
| Action Button | Description |
|---|---|
| Copy | Allows you to copy an already existing security level. You can then modify the security level details of the copy as necessary. The copy will be named Copy of [existing security level's name] by default. Refer to Creating a security level. |
| Delete | Deletes the selected security level upon confirmation. When you click the Delete action button, a dialog box appears where you need to perform the following before clicking Delete again: • From the drop-down list, select a replacement security level for the security level you wish to delete. Note that the first security level that appears in the drop-down list is Administrator; however, you can select any of the existing security levels listed below Administrator. • Enter the name of the security level you wish to delete to confirm this action.  IMPORTANT The following actions are performed when a security level is deleted: |
Editing a security level
Navigate to the Security Levels page by following the navigation path described above. You can edit a security level in the following ways:
- To update the details of a security level, click its name in the list. Refer to Creating a security level.
- To delete a security level, select it from the list and click Delete. Refer to Delete.
- To copy a security level, select it from the list and click Copy. Refer to Copy.
Switching security levels
If a user has more than one security level assigned, they can change their security level in the web interface or in the Agent Browser.
New UI
Refer to Current Security Level in My Settings.
Current UI
- In the top-right corner of the Web Portal, click your current security level to see a list of available security levels.
- Select the required security level.
- The page will automatically refresh and the selected security level will be applied.
Switching your security level will only apply to your current session. Your default security level will be used the next time you log in to your account.
Agent Browser
- On the local device where Datto RMM is installed, right-click the Datto RMM Agent icon in the system tray and click Open.
- Log in with your credentials.
- Click the first menu option in the top left corner of the Agent Browser.
- Hover over Security Level and select the required security level from the list.
- You will be logged out of the Agent automatically.
- Log back in to be able to use the selected security level.
Best Practices (security level templates)
Navigate to the Security Levels page by following the navigation path described above. Click Best Practices and then click Create next to one of the security level templates.
These templates serve as guides with recommended settings for common use cases; however, you can change any of the settings before saving the security level. Refer to Creating a security level.
Customer Internal IT
In this scenario, one of your customers has an internal IT department and will use your RMM to service their devices. The template is configured the following way:
Name: Internal IT (Template)
Description: Template for internal IT team to access their own devices.
Configuration - Device Visibility:
| Field | Description |
|---|---|
| Sites | Enabled. Add sites that members of this security level should be able to access. |
| Site Device Groups | Disabled. |
| Device Groups | |
| Site Groups |
Configuration - Permissions:
| Area | Permissions |
|---|---|
| Global | Disabled. |
| Sites | Enabled. None: Monitor, Support, Filters, Groups, Policies, Settings, Deleted Devices View: Sites, Summary, Audit, Manage Manage: Devices |
| Components | Disabled. |
| ComStore | |
| Jobs | |
| Reports | |
| Setup |
Remote control tools: All tools are enabled except LAN Deploy and Notes.
Membership: No users are added. Add users that should be members of this security level.
Tier 1/Helpdesk
In this scenario, your technicians have different access privileges based on role. This security level is suitable for screensharing and basic access. The template is configured the following way:
Name: Tier 1 Helpdesk (Template)
Description: Template for your Tier 1 or Helpdesk staff. This security level permits members to remotely control devices with limited other access.
Configuration - Device Visibility:
| Field | Description |
|---|---|
| Sites | Enabled. All sites are included. |
| Site Device Groups | Disabled. |
| Device Groups | |
| Site Groups |
Configuration - Permissions:
| Area | Permissions |
|---|---|
| Global | Enabled. None: Audit, Manage, Monitor, Support, Policies, Filters, Groups View: Dashboard Manage: N/A |
| Sites | Enabled. None: Policies, Settings, Deleted Devices View: Sites, Summary, Audit, Manage, Monitor, Support, Filters, Groups Manage: Devices |
| Components | Disabled. |
| ComStore | |
| Jobs | Enabled. None: N/A View: N/A Manage: Active Jobs |
| Reports | Disabled. |
| Setup |
Remote control tools: Chat, Quick Jobs, Screen Share, Screenshot, Task Manager, Thumbnail Screen, and Web Remote are enabled. The rest of the tools are disabled.
Membership: No users are added. Add users that should be members of this security level.
Account Manager/Sales/Non-Technical
In this scenario, you have non-technical staff who need access to device information only. The template is configured the following way:
Name: Account Manager/Sales/Non-Technical (Template)
Description: Template for sales or non-technical staff. This security level permits members to view device information only with no remote control to devices.
Configuration - Device Visibility:
| Field | Description |
|---|---|
| Sites | Enabled. All sites are included. |
| Site Device Groups | Disabled. |
| Device Groups | |
| Site Groups |
Configuration - Permissions:
| Area | Permissions |
|---|---|
| Global | Enabled. None: Monitor, Support, Policies View: Dashboard, Audit, Manage, Filters, Groups Manage: N/A |
| Sites | Enabled. None: Monitor, Support, Policies, Settings, Deleted Devices View: Sites, Summary, Devices, Audit, Manage, Filters, Groups Manage: N/A |
| Components | Disabled. |
| ComStore | |
| Jobs | |
| Reports | Enabled. None: N/A View: N/A Manage: Active Reports |
| Setup | Disabled. |
Remote control tools: All tools are disabled.
Membership: No users are added. Add users that should be members of this security level.
